Adobe Flash zero day vulnerability exploited by hackers to infect IE and Firefox users

Adobe FlashAdobe has warned that online criminals are attacking Internet Explorer and Firefox users via an as-yet-unpatched zero day vulnerability in Adobe Flash.

In a security advisory, Adobe says it plans to issue an emergency update for Flash this week patching the vulnerability known as CVE-2015-0313.

A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Adobe expects to release an update for Flash Player during the week of February 2.

However, that will be too late for thousands of computer users who - according to Trend Micro - have been had their computers infected by visiting sites serving up malicious adverts that exploit the critical flaw.

Popular video-sharing site Dailymotion is said to have been one site seen distributing the malware attack via poisoned adverts.

This is, of course, the third time in the last few weeks that a zero-day vulnerability has been found in Adobe Flash. And it wouldn't be any surprise at all if some computer users are feeling somewhat bruised by the bombardment of alerts and warnings.

Further reading: How to enable Click-to-Play in Adobe Flash.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , ,

7 Responses

  1. Tom Martin

    February 3, 2015 at 2:55 pm #

    As a newcomer to your site and alerts, this is much appreciated.

  2. Nigel

    February 3, 2015 at 3:10 pm #

    What is it about Flash that seems to make it such an attractive target for ne'er-do-wells?

    Thanks for a most helpful article!

    • Austin in reply to Nigel.

      February 3, 2015 at 9:54 pm #

      Flash is a very common, and widely used platform. 11.8% of the entirety of the web uses embedded flash in the construction of their webpages. This does not include the ads that you see displayed upon your page. Here are some of the more popular pages using it:
      Google.com
      Yahoo.com
      Mail.ru
      Bbc.co.uk
      Adobe.com
      Dailymotion.com
      Alipay.com
      Dropbox.com
      Youtube.

      As you can see Flash hits a very large target audience. Now lets look a little more deeper Flash is unique in much the way Java (another heavily attacked plugin) is that it isn't only found on one operating system or even browser. You're seeing it in IE, Firefox, Chrome, and any of the smaller distro's. This gives attackers a large range of end user's they can hit with exploits. Hope that somewhat clears things up?

      The statistics I stated came from here.
      http://w3techs.com/technologies/details/cp-flash/all/all

  3. Spryte

    February 4, 2015 at 4:32 pm #

    I've found I can live quite well without Flash on my system. Had to rebuild last year and never bothered re-installing.
    No more Flash headaches!

  4. Cyber Functions

    February 9, 2015 at 4:23 pm #

    It is sad to see that a site such as this still confuses with the meaning of the word hacker, and misuses it.

    quoted from GNU:

    A hacker is someone who enjoys playful cleverness—not necessarily with computers. The programmers in the old MIT free software community of the 60s and 70s referred to themselves as hackers. Around 1980, journalists who discovered the hacker community mistakenly took the term to mean “security breaker.”

    Please don't spread this mistake. People who break security are “crackers.”

    ———————–

    refer: https://www.gnu.org/philosophy/words-to-avoid.html#Hacker

    • Graham Cluley in reply to Cyber Functions.

      February 9, 2015 at 4:27 pm #

      I do have some sympathy with your pedantry over the term "hacker". Really, I do.

      But the folks who are trying to preserve the old definition of the word "hacker", and want to exclude the use of it being used to describe bad guys, are missing the fact that the world sadly has moved on.

      One of the challenges we all face is that computer security is it is no longer an issue just of interest to those of us with a technical bent. It's also a problem for everybody with a computer. It's an issue for the woman who does my ironing, the vicar down the lane, my grandparents and your children.

      Many of us are nostalgic for the language of yesteryear but it's more important that we spread advice and information using words that people understand, rather than tie ourselves in knots of our own making.

      I view the word "hacker" as something that can be used to describe both good guys and bad guys, but the general public is most likely to associate it with criminality.

      Some people don't like that of course. But language is dynamic and evolves, and you're not going to outshout the general media, so we better get used to it and accept it.

    • someone else in reply to Cyber Functions.

      February 14, 2015 at 11:18 pm #

      Like you, I wish it was still "hacker/cracker". Now there is no word for what used to be "hackers", probably because the concept is so foreign to the media and the public-at-large. People who fix things for other people just for the fun and satisfaction? What, are they crazy? So "hacker" now means only the bad guys. And the world trends toward dumb and simple.
      It was inevitable. Just remember the Jeffrey Theorem: Average people are so below average.

Leave a Reply